Nearly every single organisation has third-party suppliers, and with these external services comes risk.
Two areas to consider with third-party risk are brand reputation and compliance with the law.
Last year we saw some major cyber incidents that demonstrated only too well that companies must think not only about their own security practices, but also those of their suppliers.
One of the biggest supply chain attacks in 2017 took place as a result of a breach of a Ukrainian accounting software company that provided services to a range of organisations globally. While the firm certainly lacked proper security controls, it was nevertheless trusted by its clients. A threat actor was able not only to infiltrate its systems, but also to push out malware to all its customers, resulting in massive damage on a global scale. The ransomware attack with which we are all now familiar, NotPetya, was an incident that really opened our eyes to third-party risk: it illustrated how an attack on a trusted supplier can be used to gain access to much more lucrative targets.
Threat actors now understand that a chink in the armour of some of the bigger companies may come in the form of their supply chain. Smaller organisations may not have the funds to implement a proper security strategy, or security may not even be very high on their list of priorities: they therefore become a very attractive target. Ransomware is big business for cybercriminals, and although phishing is the number one vector for distribution, these attacks are becoming much more sophisticated and dangerous. NotPetya was a wiper, so there was really no chance of data recovery even if the ransom was paid.
Last year, our active monitoring picked up a significant breach of an engineering company in Saudi Arabia that supplied business to critical infrastructure in the Middle East region. Compromised data included financial information, project bids, blueprints, contracts, CVs of employees, salary information and CEO desktop files. Affected clients that were doing business with this organisation were then informed so they could take immediate action. In this instance, we were aware of the breach before the company itself was. This highlights the power of cyber threat intelligence (CTI) and the type of protection organisations need to mitigate this threat.
In another example, late last year we discovered a further breach of a major defence contractor in Europe, the sort of breach that could wreak havoc in extremely undesirable ways. This particular incident could have had very serious negative implications for their client base: military organisations. Data leaked included usernames, email addresses, passwords, directory listings and images of various scanned documents. All documents were marked as ‘Company Confidential’.
So how can you protect yourself from this threat?
As we approach the deadline for the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, it is imperative that you prepare for the challenges ahead. Visibility around your third-party suppliers is of critical importance. Although your organisation may have applied the appropriate security standards that will allow you to comply with the upcoming regulation, your third-party vendors may be lagging behind. Carry out due diligence on your existing suppliers, before taking on new ones, and throughout the length of each contract. Failure to comply with new and existing regulations will result in severe financial penalties.
Once on board, utilise CTI for ongoing monitoring. In a recent blog post, we discussed vulnerability situational awareness. Sometimes, a vulnerability will surface before a patch is released, which can cause organisations tremendous anxiety. Probably one of the best examples of this concerns the recent vulnerabilities (Meltdown and Spectre) in Intel processors. The number of companies supplied by Intel on a global scale is staggering. Millions of people were affected, and even with the best security in place, many were vulnerable to attack. Unfortunately, in this situation you are at the mercy of the vendor, and regardless of their actions, reputational damage will fall squarely on your shoulders. Having some sort of contingency plan in place in the event of this sort of incident is therefore essential.
Thinking specifically about the IT sector, suppliers of computer hardware, software or cyber security services should ideally have ISO certification. Cyjax, though a small company, understands the importance of this, and as a result, we are now fully ISO 27001 compliant.
All vendors and contractors in your supply chain must be properly vetted to ensure they are following the same stringent information security standards as practised by your own organisation. This will provide you with a certain level of reassurance that these companies are well-equipped to secure information and prevent a breach.